DevRev
Review
Audited by ClawScan on May 10, 2026.
Overview
This is mostly a straightforward DevRev API helper, but it gives the agent broad token-backed authority to perform DevRev API operations without clear limits or confirmation guidance.
Install only if you are comfortable letting the agent use a DevRev PAT for the specific tasks you request. Use a narrowly scoped token where possible, verify object IDs before mutations, and require explicit confirmation for updates or deletions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked too broadly, the agent could make unintended changes in DevRev, such as updating work items or using other account-authorized API operations.
The instruction authorizes broad raw API use, not just the narrower issue/ticket workflows, and does not define safeguards for high-impact DevRev changes.
Use when asked to create a DevRev issue or ticket, update an existing work item, search for issues or tickets, list open/closed works, get details about a specific work item by ID, or perform any DevRev API operations.
Limit use to explicit user-requested actions, require confirmation before create/update/delete operations, and prefer a narrowly scoped DevRev token if available.
A mistaken or overbroad instruction could delete DevRev work items if the provided token has permission.
The reference exposes a destructive DevRev endpoint, but the skill does not provide confirmation, reversibility, or containment guidance for using it.
| POST | `/works.delete` | Delete a work item |
Treat delete operations as out of scope unless the user explicitly asks and confirms the exact object ID to delete.
The agent may act with whatever DevRev permissions the supplied PAT has.
A DevRev token is expected for this integration, but it can carry account permissions and the artifacts do not specify least-privilege scope or safe handling beyond the env var.
Requires a DevRev PAT token. Read from env var `DEVREV_TOKEN` or ask the user to provide it.
Use a dedicated, least-privilege token, avoid pasting long-lived secrets into chat, and rotate the token if it is exposed.
Users have limited external context for who maintains the DevRev instructions.
The skill is instruction-only and has no code install, but its provenance is not independently documented in the supplied metadata.
Source: unknown
Homepage: none
Review the visible instructions before use and compare API behavior against official DevRev documentation for sensitive operations.
